What now for data protection?

Depending how foresighted the contracts team has been in wording the data protection clauses in your supply contracts, they may state ‘that the supplier must not store data outside the EU’ or more ‘not send data to any country that is not compliant with the EU Data Protection legislation. Take the former and post Brexit Britain... it is unlikely that we see an exodus of datacentres to the continent but some contract rewording perhaps.

A bigger change for data protection legislation is coming from EU’s new General Data Protection Regulation (GDPR). You may be tempted to think ‘Phew, it won’t now matter as we will be out of the EU’ but most of us are not getting off quite that lightly – the EU directive applies not only to those organisations operating within the EU, but also to organisations outside the EU that offer goods or services to EU citizens.

So let’s have a look at three areas that are especially relevant for digital marketing:

Individuals have a right to have personal data erased, and these rights go further than under the current UK Data Protection Act. This has plenty of implications for any data captured on a website form or survey and into your marketing database and into CRM.

There is also a right for data portability. This means that you need to provide a person’s personal data in a common, machine usable format when they so request. ICO specifically mentions .CSV files but you may be able to argue an XML file could be considered too. Note that transfer of the personal data this way still needs to be done in a safe and secure way – so you would be wise to have a secure download rather than email the information.

The rules about data breaches are being clarified. A breach is not just about losing a USB stick or laptop on a train. Any event where someone has had unauthorised access to personal data constitutes a breach – and depending on the possible consequences of that breach you may need to notify ICO or the individuals.

This may all sound very far fetched and theoretical, but have you ever come across situations where a client lists has been emailed to an external agency, or to a private email account of a member of staff or, woops, emailed to a wrong recipient by accident?

Thanks to the efforts of the organisations and online communities, people are far more aware of data protection and online security nowadays than a decade ago. But with so much of our lives online, we all must keep on improving the safeguards – whether required by law or not.